Replacing Issuing CA - effect on clients using EFS?
Hi folks, I've got a customer CA migration project I'm working on which just turned into a "complete replacement" project, including a new hierarchy. The old CA hierarchy will effectively go idle and not deliver any new certs. The customer has quite a few EFS certs deployed to laptop users. I will obviously investigate how to best perform the migration, but what is your own knowledge regarding how I can make this as seamless as possible? I would basically like all clients to automatically renew their existing EFS certificates with new ones from the new CA hierarchy so that they do not see any change. The absolute last thing I want is for people to lose access to data and for the IT team to run around with their recovery agent keys to decrypt data for 1,000 users. Your thoughts and experience are highly valued!
August 11th, 2010 3:25am

Hi, as long as the EFS certificate is not deleted, decommissioning the CA will not impact EFS decryption, since EFS decryption does not check revocation. In addition, based on how autoenrollment works (http://technet.microsoft.com/en-us/library/cc787781(WS.10).aspx), the user should be able to automatically enroll a new EFS certificate from the new CA.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 16th, 2010 9:12am
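To verify on a client that the autoenrollment described in the answer has actually happened, the script below lists every EFS-capable certificate in the current user's personal store and flags whether it came from the new issuing CA. This is an added example, not code from the thread; the CA name in `$NewIssuerPattern` is a placeholder to replace with the customer's real issuing CA subject, and the EFS EKU OID (1.3.6.1.4.1.311.10.3.4) is the standard Encrypting File System OID.

```powershell
# Added example (not from the thread): audit the current user's EFS certificates
# and report which CA issued each one, so a migration to a new CA hierarchy
# can be verified per user before the old hierarchy goes idle.

# Standard "Encrypting File System" enhanced key usage OID.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'

# ASSUMPTION / PLACEHOLDER: substring of the new issuing CA's subject name.
$NewIssuerPattern = 'CN=NEW-ISSUING-CA'

function Get-UserEfsCertificate {
    # Run in the user's own session: EFS certificates live in Cert:\CurrentUser\My.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey   # no private key => cannot decrypt
                FromNewCA     = ($_.Issuer -like "*$NewIssuerPattern*")
            }
        }
}

$efsCerts = @(Get-UserEfsCertificate)

if ($efsCerts.Count -eq 0) {
    Write-Warning 'No EFS certificate in the user store; encrypted files would need a recovery agent.'
}
elseif (-not ($efsCerts | Where-Object FromNewCA)) {
    Write-Warning 'Only old-hierarchy EFS certificates found; autoenrollment from the new CA has not run yet.'
}

$efsCerts | Format-Table Thumbprint, Issuer, NotAfter, HasPrivateKey, FromNewCA -AutoSize

# Files are still bound to whichever certificate encrypted them. Once the user holds
# a certificate from the new CA, "cipher /u" re-keys every encrypted file on local
# drives to the current EFS key; "cipher /u /n" only lists those files without changing them.
# Review the list first, then re-key in the user's context:
#   cipher /u /n
#   cipher /u
```

Run it under the end user's account (for example as a logon script) rather than as an administrator, since both the certificate store and `cipher /u` operate on the interactive user's keys. Keeping the old certificate in the store until every file has been re-keyed preserves the "no revocation check" safety net the answer describes.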
